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Quantum bit commitment has been known to be impossible by the independent proofs of Mayers, 
and Lo and Chau, under the assumption that the whole quantum states right before the unveiling 
phase are static to users. We here provide an unconditionally secure non-static quantum bit com- 
mitment protocol with a trusted third party, which is not directly involved in any communications 
between users and can be limited not to get any information of commitment without being detected 
by users. We also prove that our quantum bit commitment protocol is not secure without the help of 
the trusted third party. The proof is basically different from the Mayers-Lo-Chau's no-go theorem, 
because we do not assume the staticity of the finally shared quantum states between users. 

PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Mn 



I. INTRODUCTION 

As one of the most basic and important cryptographic 
primitives, a bit commitment (BC) scheme has a lot of 
applications to crucial cryptographic protocols including 
coin flipping, interactive zero-knowledge proof, oblivious 
transfer, verifiable secret sharing, multiparty secure com- 
putation, and so on [l|, 0, H, U [Ej6 L There have also 
been several quantum approaches [7|, l8( to guarantee the 
unconditional security of BC protocols, as quantum key 
distribution (QKD) protocols H,[l(| have done. Unfortu- 
nately, in the middle of the 1990's Mayers [H|,[l2j], and in- 
dependently Lo and Chau [l3[ (MLC) proved that quan- 
tum principles cannot be helpful to construct an uncon- 
ditionally secure BC protocol, in contrast to a brilliant 
development of QKD protocols [lj, [l5|, |l6|. The im- 
possibility of quantum bit commitment (QBC) is called 
the MLC's no-go theorem, which implies a severe draw- 
back of quantum cryptography. Since then, there have 
been several results about QBC protocols, some of which 
are for the possibility through new schemes and the- 
ories [13, H, Ell, others of which are for the trade- 
off relations between the possibility and the impossibil- 
ity gain. 

The most important assumption of the MLC's no-go 
theorem is that every QBC protocol results in a static 
quantum state, and thus both users exactly know about 
what it is before the unveiling time. For any initial states 
of Alice and Bob, \x)a (x = or 1 ) and \ip) B , the finally 
shared quantum state will be given as U ab{\x) a® W)b)' 
where Uab represents all the algorithms involved in the 
protocol and is necessarily opened and known to all par- 
ticipants. If the QBC protocol satisfies the perfect con- 
cealment, then by the Gisin-Hughston-Jozsa-Wootters 
(GHJW) theorem [22j there exists a local unitary op- 
eration Sa such that (Sa <8> I)Uab{\0) a ® I^)b) = 
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Uab(\1)a ® W)b)- By delaying the measurements and 
applying Sa to the local system, Alice is able to change 
her committed bit surreptitiously without being detected 
by Bob. This is the main stream of the MLC's no-go the- 
orem. 

However, we focus on the fact that Sa actually is given 
depending on the Bob's initial state \tp) B - So, it would 
be better to denote the Alice's strategy by Sa(^P) rather 
than Sa- Even though it is true that there exists an ex- 
act operation Sa(jP) f° r each \ip) B whenever the protocol 
is perfectly concealing, Alice could neither figure out nor 
make use of Sa(iP) appropriately, if \ip) B is randomly 
given and kept unknown to her. A QBC protocol to re- 
alize the above situation is here called a non-static QBC 
protocol. 

In this paper, by investigating the possibility and the 
impossibility of such non-static QBC protocols, we con- 
struct an unconditionally secure QBC protocol with the 
help of a trusted third party (TTP), and prove that our 
non-static QBC protocol is not possible without the help 
of a TTP. Although the existence of a TTP can be a weak 
point as in general cryptographic primitives, the TTP in 
our protocol plays only a little role to provide quantum 
sources to carry classical bit information. Moreover, the 
TTP is not actually involved in any communications be- 
tween users, and cannot get any information about the 
commitment without being detected by users. 



II. NON-STATIC QBC PROTOCOLS 

Hereafter we consider a more generalized version of 
QBC protocols which varies the resulting states accord- 
ing to the initial state \ip) B generated by Bob (or a TTP), 
and thus the strategy Sa(iP) <8> I by a dishonest Alice 
might be also changed according to \ip) B . One possible 
way to accomplish the above property is that Bob (or 
a TTP), instead of Alice, prepares and sends an initial 
quantum state \tp) B to Alice, where \ip) B should be kept 
unknown to Alice. Then Alice applies an associate uni- 
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tary operator to \ip) B to commit a bit x- 

For example, suppose that when x = 0, Alice chooses 
one of M and N randomly, and similarly when % = 1, 
one of J and K randomly, where M, N, J, and K are 
defined as 



a certain fixed attack by Alice cannot be available for 
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J 
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[I + i(<7 x -(Ty+ <7 Z )} 
[I + i(<7 x +(T y - <7 Z )} 



(1) 



where a x , a yi and a z are the Pauli matrices. To guar- 
antee the randomness, Alice prepares an auxiliary state 
- — -'- and then she applies a unitary op- 
M + \l) A (l\ ® N (if X = 0) or 

>) a so 



^'a - — 7T 
erator either |0) A (0| 

|0) A (0|® J+\1) A (1\®K (if X = 1) to \+) A 
that she finally obtains the following states 



I*o(V0)ab = 



\0) A ®M\iP) B + \l) A ®N\i>} 1 
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and 



|0> A ® Ji- 



ll), 
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(2) 



By performing the standard measurement on her local 
system Ha, Alice provides Bob with an uniformly dis- 
tributed ensemble, either £o(V0 = {M\tp) B , B } or 
frty) = {J\i/j) B ,K\ip) B } as shown in TABLE I. 



TABLE I: The change of the initial states \4>) B = m\0) B + 
n\l) B (\m\ 2 + \n\ 2 — 1): It shows how the initial states \ip) B 
are transformed by unitary operators M, N, J, and K ran- 
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Without an additional information about the ensem- 
bles, Bob will regard them as a density operator, either 
PoWO = (M|V) B (^|Mt +N\i/;) B {1>\Nl)/2 or Pl (^) = 
{J\il>) B {il>\f + K\^) B {^)/2, respectively. 

Let us consider the cases that \ip) B = \0) B and \ip) B = 
\+) B - It is very easy to show that po(ip — 0) = Pii^P — 
0) = po(t]j = +) = p\(ip = +) = 1/2. However, we 
can ask a question such as "Is there any proper strategy 
S A to change not only \® (ip = 0))ab to = °))ab 

but also |$ o (-0 = +))ab to = +)>ab ? " The answer 

is NO. In fact, up to the left multiplication of diago- 
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nal matrices, Sa(iP = 0) should be 



V2 U -1 



while 



SaU* = +) should be 
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This means that 



all 
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and therefore Alice should be able to choose a 



strategy appropriate to an unknown \tp} B . 

However, this example has a problem that the QBC 
protocol is not perfectly concealing. If Bob prepares the 



initial state as 



|0> B +i|l> J 



, then he can know Al- 



ice's commitment in advance, because po and pi are ob- 
viously different. To solve this problem, we employ a 
TTP, and then investigate the securities of QBC proto- 
cols with and without the help of the TTP in the next 
two subsections. 



A. Non-static QBC Protocol with a TTP 

Alice and TTP previously share Af maximally entan- 
gled states \^^) TA = (|01) TA — |10) TA )/\/2 satisfying 
\^~) TA = (U <g> U)\^>-) TA up to the global phase for all 
unitary operators U. 

(i) [Pre-Commitment] TTP performs random orthogo- 
nal measurements M t = {\<j>i) T ((fii\ T , T {(j)f\ T } (1 < 
i < A/) on his side of |*~) TA 's. Then Alice and TTP 
always have the opposite state, that is, if TTP's result 
is \4>i) T {\<f>i~) T ), then Alice must have \ipi) A = \4>t) A 
{\4>i) A )- However, Alice does not know what \ipi) A s are 
actually, because TTP keeps Mj unknown to her. 

(ii) [Commitment] To commit a bit x, Alice encodes x 
into \ipi) A by applying an operator Pj randomly chosen 
from M, N, J, and K as follows. If Alice wants to com- 
mit 0, then she sends Bob M\ipi) A or N\ipi) A at random, 
and if she wants to commit 1, then she sends J\iji%) A and 
K\tl)i) A randomly. 

(iii) [Holding Phase] It proceeds without doing any- 
thing for a certain period which users agreed with at the 
beginning stage of the protocol. 

(iv) [Unveiling Phase] At a specific later time, Alice 
publicly announces all Pi's and then TTP all Mi's and 
measurement outcomes. Then Bob verifies the commit- 
ment by checking whether the measurement outcomes 
are always opposite or not, when he performs M,'s on 
P}Pi\^i) A - If Alice is honest, then the measurement out- 
comes should be opposite for all i. 

In step (ii), as noticed previously, by using the an- 
cillary state and the non-local unitary operations 
such as |0) A (0| <g> M + \1) A (1\ <g> N and |0) A (0| <g> J + 

"o) A 'A = 



1 1)^4 (1 1 £g> K according to x, Alice obtains |$ 



\l) A ,®N\^) A )/^2 



I A' A 



and \<b±) 
A ) j\pl. However, due to 
xi A'A wm ^ e cnan g e d every 



{\G) A ,®M\i,) A 

do) A ,® m A + \\ „ 

the randomness of A i 
time. These states can come to not only product states 
but also maximally entangled state. So, Alice could not 
control the relation between |$o)a'a an d I^i)a',4 as sne 
wants, without the knowledge of A s (actually Mi's). 

Of course, we need to calculate the success probabil- 
ity of the delayed measurement attack proposed in the 
MLC's no-go theorem, which can be measured with the 
fidelity F(\ip), \<j>}) — \(ip\(j)}\ 2 . Suppose that, to change 
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the committed bit from to 1, Alice applies a local uni- 
tary operation \ ] . The success probability is 
\c d 



F = -{F(aM[i 
+F(cM\ip) j 



) A + bN\^) A ,J\<t>) A ) 
+ dN\i>) A ,K\4>) A )}, 



(3) 

and therefore, in the Bloch representation, \ip) A — 
cos(6»/2)|0) A + e^sin(6»/2)|l) j4 (O<6><tt,O<0< 2tt), 
the expected success probability is 
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(4) 



where z is the complex conjugate of a given complex 
number z. Since the protocol is repeated M times, Al- 
ice's attack is detected with the probability greater than 
1 - (2/3)^ which goes to 1 as Af ->• oo. That is, this QBC 
protocol satisfies the asymptotic bindingness, where the 
level of security follows as noticed in [20( . 

We should also consider the concealment. One of the 
assumptions of our protocol is that Alice and TTP previ- 
ously share the singlet states. This means that Bob has 
no way to interrupt the quantum channel between them 
to get some information. That is to say, Bob should gain 
information about the commitment from only quantum 
states given by Alice. Another assumption is that TTP 
should choose Mi's at true random. So, the finally en- 
coded states will appear to Bob as 1/2, which guarantees 
the perfect concealment. 

To transmit only digital information through classical 
channels, TTP can choose the bases of M,'s in a dis- 
cretized subset of the Bloch space. For instance, TTP 
can select finite points uniformly dividing the sub-circle 
spanned by |0), |1), |+) and |— ). Since our protocol sat- 
isfies the perfect concealment for all initial states 1^)^ 
such that mn £ K, so do all points in the sub-circle. Of 
course, the success probability will be changed a little 
bit but less than 1, and therefore this protocol still sat- 
isfies the bindingness. Such a restriction on the domain 
of initial states gives us one more advantage, which pro- 
hibits TTP from generating the initial states such that 
mn (jz. R and knowing Alice's commitment in advance. 
TTP should always announce Bob the right information 
about his measurements, because if TTP announces dis- 
honestly, then the measurements in the wrong bases will 
make a disturbance on the correlation between Alice and 
Bob, and thus the dishonest behavior will be detected by 
users. 

In result, the quantum entanglement shared between 
Alice and TTP guarantees not only the non-staticity, but 
therefore also the unconditional security of our protocol, 
which cannot be realized by the classical cryptographic 
theories. 



B. Non-static QBC Protocol without a TTP 

We here deal with a self-enforcing QBC protocol (with- 
out a TTP), which is slightly modified from our previous 
QBC protocol like that Bob, instead of TTP, generates 
initial quantum states b anc ^ Alice applies unitary op- 
erators to B to commit x- 

The following lemma is a necessary and sufficient con- 
dition for our self-enforcing QBC protocol to be perfectly 
concealing against Bob using any kind of quantum entan- 
gled state \^) BB r on the extended system TCb ®Hb'- 

Lemma 1. A non-static QBC protocol is perfectly con- 
cealing for all qubits \ip) B and all entangled state \^) BB , 
if and only if M , N , J, and K should satisfy the following 
equations 

M|0) B <0|Mt+AT|0) B (0|iVt = J\0) B (0\J^ +K\0) B (0\K\ 
M\l) g (l\M^+N\l) B (l\N^ = J|l) B (l|J t + K\l) B {l\K\ 

and (5) 
Af|0) s (l|A/t + A|0) B (l|iVt = J|0) B <l|jt+if|0) B <l|#t. 

Proof. By a direct calculation, we first prove that the 
above condition is a necessary and sufficient condition 
for po(ip) = Pi(ip) for ah qubits \tp) B = m\0) B + n\l) B . 
It is very clear that if M , N, J, and K satisfy Eq. (5), 
then po(ip) = Pi(ip)- Conversely, we should show that 
all M, N, J, and K such that po(ip) = /Oi(V>) sat- 
isfy Eq. (5). The first two equations of Eq. (5) can be 
easily derived from the cases that m ^ 0, n = and 
m = 0,n^0. Therefore, M, N, J, and K should even- 
tually satisfy Re (mn(M|0) B (l|Mt + N\Q) B {1\N^)) = 
Re(mn(J|0) s (l|jt + K\0) B {1\K^)) , for all m and n. 
Considering the cases that m = n = 1 and m = 1, n = i, 
we can obtain the third equation of Eq. (5). It is triv- 
ial to extend the necessary and sufficient condition to all 
bipartite entangled states \®) BB t on TL B ® Hb' , where 
dimTiB = 2 and dimTi.B' is arbitrary, because \^) B b' 
has the Schmidt decomposition [23[ and we can regard 
|0) B and as eigenvectors of the density operator 

tr fl ,(|*) Bfl ,<*|). □ 

In addition, we also figure out what kind of unitary 
operators M, N, J, and K are able to satisfy the perfect 
concealment, that is, the necessary and sufficient condi- 
tion given in Lemma [1] Unfortunately, Theorem tells 
us that there is a strategy for Alice to cheat the commit- 
ment freely, regardless of whether she knows the initial 
quantum states or not. 

Theorem 2. If a non-static QBC protocol is per- 
fectly concealing, then there exists a local unitary op- 
erator Sa = I a ^ 
\c d 

K = cM + dN. 



such that J = aM + bN and 



Proof. Considering the orthogonality and the GHJW the- 
orem for the perfect concealment, we can let M , N, J, 
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TABLE II: The parametrization for the unitary operators 
M,N, J, and K satisfying that po(tp) = Pi(V0 f° r an IV')s : 

M 2 + bl 2 = 1 (V + 0), |q| = 1, [ a b ) ,( S * J : unitary 



Operators 


|0> s 


|1) B 


M 


|0> B 




iV 


«|0> s + 3/|l) B 


Q (y|o) B -*|i) B ) 


J 


(a + te)|0) fl + &y|l) B 


iay|0) B + (s — tax)\l) B 


if 


(c + da;)|0> B +dy|l> i3 


vay\0} B + (u- vax)\l} B 



TABLE III: The reparametrization of TABLE II for the uni- 
tary operators M,N,J, and K satisfying that rank(po(V' = 
0)) = 1: 

|j| = |fc| = |i| = |m| = l, |a| = |/?| = | 7 | = |*| = 1 



Operators 


|0> s 




M 


i|o) s 




N 


i|0> B 


m\l) B 


J 


«|0> s 


m B 


K 


7|0) B 





and K be unitary matrices as shown in TABLE II, with- 
out loss of generality. In this case, it is obvious that M, 
N, J, and K satisfy the first two equations of Eq. (5). By 
the third equation of Eq. (5), all parameters in TABLE 
II should follow that 

axy = (a + bx)tay + (c + dx)vay, 
—yax = by(s — tax) + dy(u — vax), 



1 — ax 



(a + bx)(s — tax) + (c + dx)(u — vax), 



ay = by ta + dy va. 



(6) 



We first consider the case that po(ip = 0) is invcrtiblc (of 
rank 2), that is, y ^ 0. Eq. (6) can be rewritten as 



1 = as + cu, 

= bs + du, 

= at + cv, and 

1 = bt + dv. 



This means that 




1 0" 
.0 1, 



(7) 



that is, 




s t 



. Therefore, there exists a unitary op- 



a b 



erator I " I such that J = aM+bN and K = cM+dN. 
V V 

Let us consider the case that the rank of po (tp = 0) is 1, 
that is y — 0, where we can reparameterize M, N, J, and 
K as shown in TABLE III. For the perfect concealment, 
the parameters should satisfy 



jk + Ira = a(3 + jS. 



(8) 



If jk + then jk = a/3, Im — 7<5 or jk = j5, Im = 

a(3, because of the unity of parameters. This property 
means that the matrices have the relations such as Ma 
J,NocKorMocK,NocJ, where A oc B denotes 
A = cB for a constant c. Therefore, the commitments 
according to x' s are actually same and thus make no 
sense. If jk+lm = 0, under the assumption that jk ^ Im 
(Otherwise, for all quantum states \ip) B , rank(po(V')) = 
rank(/?i (?/>)) = 1, and thus M oc N oc J oc K, which 



is meaningless.), we can find a unitary operator 



a b 



such that J = aM + bN and K = cM + dN, where a, b, 
c, and d are given as 

1(3 — ma , ka — j(3 IS — mj 
a = — 7 , o = — — , c = — r , and 



d = 



Ik — mj Ik — mj Ik — mj 
k-f - jS 



Ik — mj 
This completes the proof. 



□ 



By using Sa <8> I, Alice can freely exchange unitary op- 
erators M and N with J and K so that she can cheat her 
committed bit with certainty without being detected by 
Bob. Therefore, we can find out that, even though dis- 
honest Bob makes use of arbitrary dimensional ancillary 
system, if Alice and Bob communicate through the only 
two-dimensional channel, then any non-static QBC pro- 
tocols we propose are not secure, and in fact, the perfect 
concealment makes the non-static QBC protocol static 
without the help of a TTP. 



III. CONCLUSION 

We have dealt with a new QBC scheme which can be 
not static so that the final quantum states are determined 
randomly and kept unknown to all participants until the 
unveiling phase. However, we would like to emphasize 
that our QBC scheme does not oppose the MLC's no-go 
theorem, but ensures its security only by enforcing Alice 
to change the attack strategy according to the unknown 
initial quantum information. 

We have shown that it is possible to construct an un- 
conditionally secure QBC protocol with the help of a 
TTP, where the role of the TTP can be limited not to 
get any information of the committed bit in advance and 
actually users can perceive any dishonest behaviors of 
the TTP. Unfortunately, we have also proved that the 
non-static QBC protocol is not secure without the help 
of the TTP. In a self-enforcing non-static QBC protocol, 
the necessary and sufficient condition for the perfect con- 
cealment eventually makes the QBC protocol static. It 
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would be important to check if we can extend the impos- 
sibility of the self-enforcing QBC protocols to the cases 
with no limits on the dimension of quantum channels and 
the number of the quantum states in ensembles. 
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